LNMP Architecture (Part 2)

Nginx default virtual host

Edit nginx.conf

  [root@zyshanlinux-001 ~]# vim /usr/local/nginx/conf/nginx.conf
  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -t  ## check the syntax after every edit
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

      fastcgi_intercept_errors on;
      tcp_nodelay on;
      gzip on;
      gzip_min_length 1k;
      gzip_buffers 4 8k;
      gzip_comp_level 5;
      gzip_http_version 1.1;
      gzip_types text/plain application/x-javascript text/css text/htm
      application/xml;
      include vhost/*.conf;  ## remember the trailing ";"
  }

Based on the configuration above, create the vhost directory and a new aaa.com.conf file inside it; create the /data/wwwroot/default directory and a new index.html file inside it; finally check the syntax.

  [root@zyshanlinux-001 ~]# cd /usr/local/nginx/conf
  [root@zyshanlinux-001 conf]# pwd
  /usr/local/nginx/conf
  [root@zyshanlinux-001 conf]# mkdir vhost
  [root@zyshanlinux-001 conf]# cd vhost/
  [root@zyshanlinux-001 vhost]# ls
  [root@zyshanlinux-001 vhost]# vim aaa.com.conf
  (contents of aaa.com.conf)
  server
  {
      listen 80 default_server;  ## the block carrying this flag is the default virtual host
      server_name aaa.com;
      index index.html index.htm index.php;
      root /data/wwwroot/default;
  }
  [root@zyshanlinux-001 vhost]# mkdir /data/wwwroot/default
  [root@zyshanlinux-001 vhost]# cd !$
  cd /data/wwwroot/default
  [root@zyshanlinux-001 default]# ls
  [root@zyshanlinux-001 default]# echo "This is a default site." > /data/wwwroot/default/index.html
  [root@zyshanlinux-001 default]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

The syntax check passes; restart nginx or reload its configuration.

  [root@zyshanlinux-001 default]# /etc/init.d/nginx restart  ## restart, or
  [root@zyshanlinux-001 default]# /usr/local/nginx/sbin/nginx -s reload  ## reload the configuration

Test: whatever domain name is requested, as long as it resolves to this server, the default virtual host answers and this site is served.

  [root@zyshanlinux-001 default]# curl localhost  ## previously the stock welcome page, now the page we configured
  This is a default site.
  [root@zyshanlinux-001 default]# ls  ## the index.html defined just now
  index.html
  [root@zyshanlinux-001 default]# curl -x127.0.0.1:80 aaa.com
  This is a default site.
  [root@zyshanlinux-001 default]# curl -x127.0.0.1:80 bbb.com
  This is a default site.
  [root@zyshanlinux-001 default]# curl -x127.0.0.1:80 ccc.com
  This is a default site.

Summary

There are two ways to define the default virtual host:

First, put it in the first position. How is the position determined? By the character order of the file names, so rename the file to start with 0 or a.

  [root@zyshanlinux-001 default]# cd /usr/local/nginx/conf/
  [root@zyshanlinux-001 conf]# ls
  fastcgi.conf            koi-utf             nginx.conf          scgi_params.default   win-utf
  fastcgi.conf.default    koi-win             nginx.conf.bak      uwsgi_params
  fastcgi_params          mime.types          nginx.conf.default  uwsgi_params.default
  fastcgi_params.default  mime.types.default  scgi_params         vhost
  [root@zyshanlinux-001 conf]# ls vhost/
  aaa.com.conf
  [root@zyshanlinux-001 conf]# tail nginx.conf
      tcp_nodelay on;
      gzip on;
      gzip_min_length 1k;
      gzip_buffers 4 8k;
      gzip_comp_level 5;
      gzip_http_version 1.1;
      gzip_types text/plain application/x-javascript text/css text/htm 
      application/xml;
      include vhost/*.conf;
  }

Second, add the special flag.

  [root@zyshanlinux-001 conf]# cat vhost/aaa.com.conf
  server
  {
      listen 80 default_server;   ## the special flag default_server
      server_name aaa.com;
      index index.html index.htm index.php;
      root /data/wwwroot/default;
  }

One more point: nginx.conf supports the include syntax; the line below (already shown in the tail output above) is what pulls the vhost/*.conf files into the main configuration.

      include vhost/*.conf;

Nginx user authentication

1. For the whole site.

Create the test.com.conf virtual host

  [root@zyshanlinux-001 ~]# cd /usr/local/nginx/conf/
  [root@zyshanlinux-001 conf]# cd vhost/
  [root@zyshanlinux-001 vhost]# ls
  aaa.com.conf
  [root@zyshanlinux-001 vhost]# vim test.com.conf

Configuration file

  server
  {
      listen 80;
      server_name test.com;
      index index.html index.htm index.php;
      root /data/wwwroot/test.com;
      
      location /  ## user-authentication settings
      {
          auth_basic              "Auth";  ## realm name shown in the authentication prompt
          auth_basic_user_file   /usr/local/nginx/conf/htpasswd;  ## file holding user names and password hashes
      }
  }

Generate the password file with Apache's htpasswd tool; if it is not installed, install it with yum install -y httpd.

  [root@zyshanlinux-001 vhost]# /usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd zyshan
  New password: 
  Re-type new password: 
  Adding password for user zyshan
  [root@zyshanlinux-001 vhost]# cat /usr/local/nginx/conf/htpasswd  ## view the generated password file
  zyshan:$apr1$Wfuh6a2Z$pXTYIGYug84CTiduJcK0..
  [root@zyshanlinux-001 vhost]# /usr/local/apache2.4/bin/htpasswd /usr/local/nginx/conf/htpasswd user1  ## no -c the second time, otherwise the password file is reset (overwritten)
  New password: 
  Re-type new password: 
  Adding password for user user1
  [root@zyshanlinux-001 vhost]# cat /usr/local/nginx/conf/htpasswd
  zyshan:$apr1$Wfuh6a2Z$pXTYIGYug84CTiduJcK0..
  user1:$apr1$I/L6rpaC$Jc.tewej8VPa7YbpohfJ5.
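
As an added example (not part of the original post), the same password file can be maintained with openssl instead of Apache's htpasswd, which avoids installing httpd just for one tool. The script assumes openssl is on PATH and takes the file path as an argument; it appends without the -c pitfall noted above, and it can verify a password offline by re-hashing it with the salt stored in the entry, which is the same $apr1$ check nginx performs.

```shell
#!/bin/sh
# Added example, not from the original post: maintain the file that
# auth_basic_user_file points at using "openssl passwd -apr1", which writes
# the same $apr1$ hashes as Apache's htpasswd, so httpd need not be installed.
# Assumptions: "openssl" is on PATH; the file path is passed as an argument.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

# htpasswd_set FILE USER PASSWORD
# Adds or replaces one user. It never truncates the file, which is what
# running "htpasswd -c" a second time does.
htpasswd_set() {
    file=$1; user=$2; pass=$3
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    touch "$file"
    # keep every other user's line, then append the fresh entry
    { grep -v "^$user:" "$file" || true; } > "$file.tmp"
    printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
    mv "$file.tmp" "$file"
    chmod 640 "$file"   # readable by nginx's worker group, nobody else
}

# htpasswd_verify FILE USER PASSWORD
# Re-hashes PASSWORD with the salt stored in the entry and compares.
# Returns 0 on match, 1 otherwise; prints nothing.
htpasswd_verify() {
    file=$1; user=$2; pass=$3
    stored=$(sed -n "s/^$user://p" "$file" | head -n1)
    [ -n "$stored" ] || return 1
    # entry layout is $apr1$<salt>$<digest>, so the salt is field 3
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    computed=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$computed" = "$stored" ]
}

# Demo on a scratch file with constructed credentials
demo=$(mktemp)
htpasswd_set "$demo" zyshan zyshan
htpasswd_set "$demo" user1 'user1-secret'
cat "$demo"
if htpasswd_verify "$demo" zyshan zyshan; then echo "zyshan: password accepted"; fi
if ! htpasswd_verify "$demo" zyshan wrong; then echo "zyshan: wrong password rejected"; fi
rm -f "$demo"
```

Keep the real file outside the document root and readable only by the user nginx's workers run as; the verify function is handy for confirming an entry before pointing auth_basic_user_file at it.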

Check the syntax and reload the configuration. The advantage of a reload over a restart: if the configuration contains an error, the new configuration is not applied and the running service keeps the old one.

  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
  [root@zyshanlinux-001 vhost]# 

Test:

curl test: returns 401, authentication required

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test.com -I
  HTTP/1.1 401 Unauthorized
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 11:20:39 GMT
  Content-Type: text/html
  Content-Length: 195
  Connection: keep-alive
  WWW-Authenticate: Basic realm="Auth"
  

Add the user name and password and curl again: now a 404, because the site's root directory has not been created yet.

  [root@zyshanlinux-001 vhost]# curl -uzyshan:zyshan -x127.0.0.1:80 test.com -I
  HTTP/1.1 404 Not Found
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 11:22:41 GMT
  Content-Type: text/html
  Content-Length: 169
  Connection: keep-alive
  

The root directory really does not exist; create it and put an index.html in it.

  [root@zyshanlinux-001 vhost]# ls /data/wwwroot/test.com
  ls: 无法访问/data/wwwroot/test.com: 没有那个文件或目录
  [root@zyshanlinux-001 vhost]# mkdir /data/wwwroot/test.com
  [root@zyshanlinux-001 vhost]# echo "test.com" > /data/wwwroot/test.com/index.html

The test succeeds, status code 200.

  [root@zyshanlinux-001 vhost]# curl -uzyshan:zyshan -x127.0.0.1:80 test.com -I
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 11:24:32 GMT
  Content-Type: text/html
  Content-Length: 9
  Last-Modified: Thu, 05 Jul 2018 11:24:21 GMT
  Connection: keep-alive
  ETag: "5b3dffe5-9"
  Accept-Ranges: bytes
  
  [root@zyshanlinux-001 vhost]# curl -uzyshan:zyshan -x127.0.0.1:80 test.com
  test.com

2. Authentication for one directory.

  [root@zyshanlinux-001 vhost]# !vim
  vim test.com.conf

Add the directory to the configuration file

  server
  {
      listen 80;
      server_name test.com;
      index index.html index.htm index.php;
      root /data/wwwroot/test.com;
  
      location /admin/  ## the directory that requires authentication
      {
          auth_basic              "Auth";
          auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
      }
  }

Check the syntax and reload the configuration

  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

Create the test target page

  [root@zyshanlinux-001 vhost]# mkdir /data/wwwroot/test.com/admin
  [root@zyshanlinux-001 vhost]# echo "test.com admin dir" > /data/wwwroot/test.com/admin/index.html

Test:

curl test: the directory returns 401; with the user name and password, authentication passes.

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test.com/admin/ -I
  HTTP/1.1 401 Unauthorized
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 11:35:26 GMT
  Content-Type: text/html
  Content-Length: 195
  Connection: keep-alive
  WWW-Authenticate: Basic realm="Auth"
  
  [root@zyshanlinux-001 vhost]# curl -uzyshan:zyshan -x127.0.0.1:80 test.com/admin/
  test.com admin dir

3. Authentication for a matching URL

Edit the configuration

  [root@zyshanlinux-001 vhost]# !vim
  vim test.com.conf

Match (~) admin.php in the configuration

  server
  {
      listen 80;
      server_name test.com;
      index index.html index.htm index.php;
      root /data/wwwroot/test.com;
  
      location ~ admin.php  ## matches admin.php (the unescaped "." also matches any single character; \.php would be stricter)
      {
          auth_basic              "Auth";
          auth_basic_user_file   /usr/local/nginx/conf/htpasswd;
      }
  }

Check the syntax and reload the configuration

  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

Test: requesting admin.php returns 401

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test.com/admin/
  test.com admin dir
  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test.com/admin.php
  <html>
  <head><title>401 Authorization Required</title></head>
  <body bgcolor="white">
  <center><h1>401 Authorization Required</h1></center>
  <hr><center>nginx/1.12.1</center>
  </body>
  </html>

Create the test target page

  [root@zyshanlinux-001 vhost]# vim /data/wwwroot/test.com/admin.php
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

The test succeeds once the user name and password are supplied.

  [root@zyshanlinux-001 vhost]# curl -uzyshan:zyshan -x127.0.0.1:80 test.com/admin.php
  <?php
  admin.php;

Summary:

location followed by "/" applies to the whole site;

location followed by a directory applies to that directory;

location followed by a "~" regex match applies to matching URLs.

Nginx domain redirect

Edit the configuration file and add several domain names.

  [root@zyshanlinux-001 vhost]# vim test.com.conf
  server
  {
      listen 80;
      server_name test.com test2.com test3.com;
      index index.html index.htm index.php;
      root /data/wwwroot/test.com;
  
      if ($host != 'test.com' )
      {
          rewrite  ^/(.*)$  http://test.com/$1  permanent;
      }
  
  }
  

Test: status code 301, with Location: http://test.com/index.html giving the redirect target

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test2.com/index.html -I
  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 12:41:14 GMT
  Content-Type: text/html
  Content-Length: 185
  Connection: keep-alive
  Location: http://test.com/index.html
  
  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test3.com/admin/index.html -I
  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 12:42:49 GMT
  Content-Type: text/html
  Content-Length: 185
  Connection: keep-alive
  Location: http://test.com/admin/index.html
  

test4.com is not in any server_name, so the request is served by the default virtual host aaa.com.conf rather than test.com.conf; the default root has no /admin/index.html, hence the 404.

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test4.com/admin/index.html -I
  HTTP/1.1 404 Not Found
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 12:43:01 GMT
  Content-Type: text/html
  Content-Length: 169
  Connection: keep-alive
  

Nginx access log

Log format

  vim /usr/local/nginx/conf/nginx.conf  ## search for log_format

$remote_addr client IP (public IP)
$http_x_forwarded_for IP passed along by a proxy server
$time_local server local time
$host requested host name (domain)
$request_uri requested URL
$status status code
$http_referer referer
$http_user_agent user agent

Custom format name

  [root@zyshanlinux-001 vhost]# vim ../nginx.conf

Besides defining the log format in the main nginx.conf, the virtual host configuration file also needs the line

  access_log /tmp/test.com.log zyshan;

where zyshan is the name of the log format defined in nginx.conf.

  [root@zyshanlinux-001 vhost]# vim test.com.conf

Check the syntax and reload the configuration

  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

Test

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test3.com/admin/index.html -I
  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 13:08:40 GMT
  Content-Type: text/html
  Content-Length: 185
  Connection: keep-alive
  Location: http://test.com/admin/index.html
  
  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80 test2.com/admin/index.html -I
  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 13:08:49 GMT
  Content-Type: text/html
  Content-Length: 185
  Connection: keep-alive
  Location: http://test.com/admin/index.html
  
  [root@zyshanlinux-001 vhost]# cat /tmp/test.com.log
  127.0.0.1 - [05/Jul/2018:21:08:40 +0800] test3.com "/admin/index.html" 301 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:08:49 +0800] test2.com "/admin/index.html" 301 "-" "curl/7.29.0"

The log lines follow exactly the parameters defined in the format.
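
Added example, not from the post: a small awk-based reader for lines in this format, with a constructed sample that mirrors the lines above. The log_format line itself is not reproduced in the post, so the field order is inferred from the output and is an assumption; the functions count responses by status, tally requests per virtual host and pull out the 4xx lines that are worth a first look.

```shell
#!/bin/sh
# Added example, not from the original post: parse lines written in the custom
# access_log format and summarise them, as a first triage step when reading the
# log. Assumption (inferred from the output shown in the post, since the
# log_format line itself is not reproduced there):
#   log_format zyshan '$remote_addr $http_x_forwarded_for [$time_local] $host '
#                     '"$request_uri" $status "$http_referer" "$http_user_agent"';
set -eu

# Constructed sample log: four lines mirror the post's output, the last one is
# invented to show a request that arrived through a proxy (X-Forwarded-For set).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
127.0.0.1 - [05/Jul/2018:21:08:40 +0800] test3.com "/admin/index.html" 301 "-" "curl/7.29.0"
127.0.0.1 - [05/Jul/2018:21:08:49 +0800] test2.com "/admin/index.html" 301 "-" "curl/7.29.0"
127.0.0.1 - [05/Jul/2018:21:50:44 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [05/Jul/2018:21:52:51 +0800] test.com "/2.jshuh" 404 "-" "curl/7.29.0"
10.0.0.5 203.0.113.7 [05/Jul/2018:22:00:01 +0800] test.com "/admin/" 401 "-" "Mozilla/5.0"
EOF

# log_fields FILE: one tab-separated record per line:
#   client  host  status  uri  referer  user_agent
# Splitting on the double quote keeps URIs, referers and user agents intact
# even when they contain spaces; the unquoted prefix is then split on spaces.
# When X-Forwarded-For is set the request came through a proxy and the first
# address in that header is the client; otherwise remote_addr is.
log_fields() {
    awk -F'"' '{
        n = split($1, a, " ")          # a[1]=remote_addr a[2]=xff ... a[n]=host
        client = (a[2] == "-") ? a[1] : a[2]
        sub(/,.*/, "", client)         # X-Forwarded-For may hold a comma list
        status = $3; gsub(/ /, "", status)
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", client, a[n], status, $2, $4, $6
    }' "$1"
}

# log_status_count FILE STATUS: number of requests that got STATUS
log_status_count() {
    log_fields "$1" | awk -F'\t' -v s="$2" '$3 == s { c++ } END { print c + 0 }'
}

# log_requests_by_host FILE: "host count" per virtual host, most requests first
log_requests_by_host() {
    log_fields "$1" | awk -F'\t' '{ c[$2]++ } END { for (h in c) print h, c[h] }' | sort -k2,2nr
}

# log_client_errors FILE: the 4xx lines, which are where probing shows up first
log_client_errors() {
    log_fields "$1" | awk -F'\t' '$3 ~ /^4/ { print $1, $2, $3, $4, $6 }'
}

echo "301 responses: $(log_status_count "$SAMPLE_LOG" 301)"
echo "requests per host:"; log_requests_by_host "$SAMPLE_LOG"
echo "client errors:";     log_client_errors "$SAMPLE_LOG"
```

Point the functions at /tmp/test.com.log instead of the sample to run them on the real log; if the log_format in nginx.conf differs from the assumed one, adjust the awk field indices in log_fields to match.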

Nginx log rotation

Nginx has no built-in log rotation tool; a system tool such as logrotate or a custom script has to do it.

Custom shell rotation script; by convention shell scripts go under /usr/local/sbin/.

  vim /usr/local/sbin/nginx_logrotate.sh
  
  #! /bin/bash
  d=`date -d "-1 day" +%Y%m%d`   # yesterday's date, used as the archive suffix
  logdir="/tmp/"                  # directory holding the access logs
  nginx_pid="/usr/local/nginx/logs/nginx.pid"
  cd $logdir
  for log in `ls *.log`
  do
      mv $log $log-$d             # rename each *.log to *.log-YYYYMMDD
  done
  /bin/kill -HUP `cat $nginx_pid`  # make nginx reopen its log files

Test the script

  [root@zyshanlinux-001 vhost]# sh -x /usr/local/sbin/nginx_logrotate.sh
  ++ date -d '-1 day' +%Y%m%d
  + d=20180704
  + logdir=/tmp/
  + nginx_pid=/usr/local/nginx/logs/nginx.pid
  + cd /tmp/
  ++ ls php_errors.log test.com.log
  + for log in '`ls *.log`'
  + mv php_errors.log php_errors.log-20180704
  + for log in '`ls *.log`'
  + mv test.com.log test.com.log-20180704
  ++ cat /usr/local/nginx/logs/nginx.pid
  + /bin/kill -HUP 1150
  [root@zyshanlinux-001 vhost]# ls /tmp/
  mysql.sock
  pear
  php_errors.log-20180704
  php-fcgi.sock
  systemd-private-8705ed05ba92468380893f87570920eb-chronyd.service-LjAKI3
  systemd-private-8705ed05ba92468380893f87570920eb-vgauthd.service-RZTfGw
  systemd-private-8705ed05ba92468380893f87570920eb-vmtoolsd.service-jg7ImD
  test.com.log
  test.com.log-20180704

Clean up old logs periodically: find logs older than 30 days and delete them. Since there are none yet, rm complains about a missing operand; without the 30-day condition the rotated files are found.

  [root@zyshanlinux-001 vhost]# find /tmp/ -name '*.log-*' -type f -mtime +30 |xargs rm
  rm: 缺少操作数
  Try 'rm --help' for more information.
  [root@zyshanlinux-001 vhost]# find /tmp/ -name '*.log-*' -type f
  /tmp/php_errors.log-20180704
  /tmp/test.com.log-20180704

After writing the script, add a cron job.

  [root@zyshanlinux-001 vhost]# crontab -e
  0 0 * * * /bin/bash /usr/local/sbin/nginx_logrotate.sh
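
Added example, not the post's script: a hardened version of the rotation and cleanup steps above, with the directory, date stamp and pid file passed as parameters so it can be tried on a scratch directory first. It does not parse ls output, quotes every path, skips cleanly when no *.log exists, sends USR1 rather than HUP (USR1 only reopens log files, HUP also reloads the configuration) and prunes with find -delete so an empty result is not an error, unlike xargs rm.

```shell
#!/bin/sh
# Added example (not the post's script): a safer nginx_logrotate.sh.
# Differences from the post's script: quoted paths, no "ls" parsing, a clean
# no-op when no *.log exists, log reopen only if a pid file is present
# (USR1 reopens logs without reloading the config; the post uses HUP), and
# pruning with find -delete instead of "xargs rm", which fails on empty input.
# Paths are parameters so the functions can be exercised on a scratch directory.
set -eu

# rotate_logs LOGDIR DATESTAMP [PIDFILE]
# Renames every LOGDIR/*.log to *.log-DATESTAMP, asks nginx to reopen its
# logs when PIDFILE is given, and prints the number of files rotated.
rotate_logs() {
    logdir=$1; stamp=$2; pidfile=${3:-}
    rotated=0
    for log in "$logdir"/*.log; do
        [ -f "$log" ] || continue            # the literal glob when nothing matches
        mv -- "$log" "$log-$stamp"
        rotated=$((rotated + 1))
    done
    if [ -n "$pidfile" ] && [ -r "$pidfile" ]; then
        kill -USR1 "$(cat "$pidfile")"       # nginx reopens its log files
    fi
    echo "$rotated"
}

# prune_logs LOGDIR KEEP_DAYS
# Deletes rotated archives in LOGDIR older than KEEP_DAYS days.
prune_logs() {
    find "$1" -maxdepth 1 -type f -name '*.log-*' -mtime +"$2" -delete
}

# Cron-style entry point: only runs when the script is invoked with "run",
# using the same paths as the post (assumed: /tmp for logs, nginx.pid under logs/).
if [ "${1:-}" = run ]; then
    rotate_logs /tmp "$(date -d '-1 day' +%Y%m%d)" /usr/local/nginx/logs/nginx.pid
    prune_logs /tmp 30
fi
```

The crontab line then becomes 0 0 * * * /bin/sh /usr/local/sbin/nginx_logrotate.sh run; the "run" guard keeps the functions side-effect free when the file is sourced or tested.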

Static files: no logging and a cache expiry time

Configuration file: [root@zyshanlinux-001 vhost]# vim test.com.conf

  server
  {
      listen 80;
      server_name test.com test2.com test3.com;
      index index.html index.htm index.php;
      root /data/wwwroot/test.com;
  
      if ($host != 'test.com' )
      {
          rewrite  ^/(.*)$  http://test.com/$1  permanent;
      }
  
      location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$  ## "|" means "or"; the "\." escape makes the dot literal for a precise match
      {
            expires      7d;   ## cache expiry; can be fairly long for images
            access_log off;
      }
      location ~ .*\.(js|css)$
      {
            expires      12h;  ## can be shorter
            access_log off;
      }
  
      access_log /tmp/test.com.log zyshan;
  }

Check the syntax and reload the configuration

  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload

Create the test files

  [root@zyshanlinux-001 vhost]# cd /data/wwwroot/test.com/
  [root@zyshanlinux-001 test.com]# ls
  admin  admin.php  index.html
  [root@zyshanlinux-001 test.com]# vim 1.gif
  [root@zyshanlinux-001 test.com]# vim 2.js

Test that static files are not logged

  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 test.com/1.gif
  djfijdifjei
  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 test.com/2.js
  djfkdjk
  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 test.com/index.html
  test.com
  [root@zyshanlinux-001 test.com]# cat /tmp/test.com.log
  127.0.0.1 - [05/Jul/2018:21:50:44 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  
  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 test.com/index.html
  test.com
  [root@zyshanlinux-001 test.com]# cat /tmp/test.com.log
  127.0.0.1 - [05/Jul/2018:21:50:44 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:52:09 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  
  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 test.com/2.js
  djfkdjk
  [root@zyshanlinux-001 test.com]# cat /tmp/test.com.log
  127.0.0.1 - [05/Jul/2018:21:50:44 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:52:09 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  
  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 test.com/2.jshuh
  <html>
  <head><title>404 Not Found</title></head>
  <body bgcolor="white">
  <center><h1>404 Not Found</h1></center>
  <hr><center>nginx/1.12.1</center>
  </body>
  </html>
  [root@zyshanlinux-001 test.com]# cat /tmp/test.com.log
  127.0.0.1 - [05/Jul/2018:21:50:44 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:52:09 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:52:51 +0800] test.com "/2.jshuh" 404 "-" "curl/7.29.0"

Test the expiry time

  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 -I test.com/2.js
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 13:55:49 GMT
  Content-Type: application/javascript
  Content-Length: 8
  Last-Modified: Thu, 05 Jul 2018 13:49:35 GMT
  Connection: keep-alive
  ETag: "5b3e21ef-8"
  Expires: Fri, 06 Jul 2018 01:55:49 GMT
  Cache-Control: max-age=43200  ## expiry set by the expires 12h; line in the configuration (43200 s = 12 h)
  Accept-Ranges: bytes
  

Edit the configuration file

  [root@zyshanlinux-001 test.com]# vi /usr/local/nginx/conf/vhost/test.com.conf
  #         expires      12h;  ## comment this line out

The expiry headers disappear

  [root@zyshanlinux-001 test.com]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 test.com]# /usr/local/nginx/sbin/nginx -s reload
  [root@zyshanlinux-001 test.com]# curl -x127.0.0.1:80 -I test.com/2.js
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:00:20 GMT
  Content-Type: application/javascript
  Content-Length: 8
  Last-Modified: Thu, 05 Jul 2018 13:49:35 GMT
  Connection: keep-alive
  ETag: "5b3e21ef-8"
  Accept-Ranges: bytes

Nginx hotlink protection

Edit the configuration file: [root@zyshanlinux-001 ~]# vi /usr/local/nginx/conf/vhost/test.com.conf

  location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
  {
      expires 7d;
      valid_referers none blocked server_names  *.test.com ;  ## whitelist of allowed referers
      if ($invalid_referer) {
          return 403;
      }
      access_log off;
  }

Test

  [root@zyshanlinux-001 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
  HTTP/1.1 403 Forbidden
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:17:44 GMT
  Content-Type: text/html
  Content-Length: 169
  Connection: keep-alive
  
  [root@zyshanlinux-001 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:17:20 GMT
  Content-Type: image/gif
  Content-Length: 12
  Last-Modified: Thu, 05 Jul 2018 13:49:22 GMT
  Connection: keep-alive
  ETag: "5b3e21e2-c"
  Expires: Thu, 12 Jul 2018 14:17:20 GMT
  Cache-Control: max-age=604800
  Accept-Ranges: bytes
  

Nginx access control

Configuration file: vi /usr/local/nginx/conf/vhost/test.com.conf and add the following block

Apache's allow and deny are order-dependent: the last one decides whether the result is allow or deny. Nginx matches from top to bottom and stops at the first rule that matches.

1. Access control for a directory:

      location /admin/
      {
          allow 127.0.0.1;
          allow 192.168.106.128;
          deny all;
      }
      
      access_log /tmp/test.com.log zyshan;
  }

Whitelist test

  [root@zyshanlinux-001 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:28:46 GMT
  Content-Type: text/html
  Content-Length: 19
  Last-Modified: Thu, 05 Jul 2018 11:35:20 GMT
  Connection: keep-alive
  ETag: "5b3e0278-13"
  Accept-Ranges: bytes
  
  [root@zyshanlinux-001 ~]# curl -x192.168.106.128:80 -I test.com/admin/
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:29:47 GMT
  Content-Type: text/html
  Content-Length: 19
  Last-Modified: Thu, 05 Jul 2018 11:35:20 GMT
  Connection: keep-alive
  ETag: "5b3e0278-13"
  Accept-Ranges: bytes
  
  [root@zyshanlinux-001 ~]# cat /tmp/test.com.log
  127.0.0.1 - [05/Jul/2018:21:50:44 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:52:09 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:21:52:51 +0800] test.com "/2.jshuh" 404 "-" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:22:16:09 +0800] test.com "/1.git" 404 "http://www.bai.du/1.txt" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:22:16:34 +0800] test.com "/1.git" 404 "http://www.test.com/1.txt" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:22:28:46 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
  127.0.0.1 - [05/Jul/2018:22:29:28 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
  192.168.106.128 - [05/Jul/2018:22:29:47 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"

2. Regex-based access control

Edit the configuration: vi /usr/local/nginx/conf/vhost/test.com.conf and add the following block

      location ~ .*(upload|image)/.*\.php$
      {
          deny all;
      }

Check the syntax and reload the configuration

  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -s reload

Test

  [root@zyshanlinux-001 ~]# mkdir /data/wwwroot/test.com/upload
  [root@zyshanlinux-001 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php
  [root@zyshanlinux-001 ~]# curl -x127.0.0.1:80 -I test.com/upload/1.php
  HTTP/1.1 403 Forbidden
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:43:31 GMT
  Content-Type: text/html
  Content-Length: 169
  Connection: keep-alive
  
  [root@zyshanlinux-001 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.txt
  [root@zyshanlinux-001 ~]# curl -x127.0.0.1:80 -I test.com/upload/1.txt
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:44:13 GMT
  Content-Type: text/plain
  Content-Length: 5
  Last-Modified: Thu, 05 Jul 2018 14:44:08 GMT
  Connection: keep-alive
  ETag: "5b3e2eb8-5"
  Accept-Ranges: bytes
  

3. Restriction by user_agent

Edit the configuration: vi /usr/local/nginx/conf/vhost/test.com.conf and add the following block

      if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
      {
        return 403;
      }

Check the syntax and reload the configuration

  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -s reload

Test

  [root@zyshanlinux-001 ~]# curl -A "Tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I
  HTTP/1.1 403 Forbidden
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:50:23 GMT
  Content-Type: text/html
  Content-Length: 169
  Connection: keep-alive
  

deny all and return 403 have the same effect.

Because the match in the configuration is case-sensitive, a user agent starting with lowercase tomatoa gets status 200.

  [root@zyshanlinux-001 ~]# curl -A "tomatoalsdkflsd" -x127.0.0.1:80 test.com/upload/1.txt -I
  HTTP/1.1 200 OK
  Server: nginx/1.12.1
  Date: Thu, 05 Jul 2018 14:53:27 GMT
  Content-Type: text/plain
  Content-Length: 5
  Last-Modified: Thu, 05 Jul 2018 14:44:08 GMT
  Connection: keep-alive
  ETag: "5b3e2eb8-5"
  Accept-Ranges: bytes
  

To ignore case, edit the configuration and add * after the match operator (~):

      if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
      {
        return 403;
      }

Nginx PHP parsing configuration

1. Listen on a socket

Edit the configuration: vi /usr/local/nginx/conf/vhost/test.com.conf and add the following block

  location ~ \.php$
  {
      include fastcgi_params;
      fastcgi_pass unix:/tmp/php-fcgi.sock;  ## this path must be exact, otherwise the result is a 502
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
  }
  ## fastcgi_pass specifies the address or socket that php-fpm listens on

Before testing, create a PHP file

  [root@zyshanlinux-001 ~]# vi /data/wwwroot/test.com/3.php
  <?php
  phpinfo();

Without reloading the configuration first, test PHP parsing: it is not parsed and the source code is returned as-is.

  [root@zyshanlinux-001 ~]# curl -x127.0.0.1:80 test.com/3.php
  <?php
  phpinfo();

Reload the configuration and test again: it succeeds; curl shows the page source, which a browser renders as the familiar phpinfo table.

  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -s reload
  [root@zyshanlinux-001 ~]# curl -x127.0.0.1:80 test.com/3.php
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml"><head>
  <style type="text/css">
  body {background-color: #fff; color: #222; font-family: sans-serif;}
  pre {margin: 0; font-family: monospace;}
  a:link {color: #009; text-decoration: none; background-color: #fff;}
  a:hover {text-decoration: underline;}
  table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
  .center {text-align: center;}
  .center table {margin: 1em auto; text-align: left;}
  .center th {text-align: center !important;}
  td, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}
  h1 {font-size: 150%;}
  ...

Pay special attention:

The fastcgi_pass unix:/tmp/php-fcgi.sock; path in /usr/local/nginx/conf/vhost/test.com.conf must match listen = /tmp/php-fcgi.sock in /usr/local/php-fpm/etc/php-fpm.conf.

2. Listen on an IP and port instead of the socket.

Edit the configuration: vi /usr/local/php-fpm/etc/php-fpm.conf

  [global]
  pid = /usr/local/php-fpm/var/run/php-fpm.pid
  error_log = /usr/local/php-fpm/var/log/php-fpm.log
  [www]
  #listen = /tmp/php-fcgi.sock  ## stop listening on the socket
  listen = 127.0.0.1:9000  ## added line: listen on an IP and port instead
  listen.mode = 666
  user = php-fpm
  group = php-fpm
  pm = dynamic
  pm.max_children = 50
  pm.start_servers = 20
  pm.min_spare_servers = 5
  pm.max_spare_servers = 35
  pm.max_requests = 500
  rlimit_files = 1024

Edit vi /usr/local/nginx/conf/vhost/test.com.conf so that it uses the same IP and port as above

      location ~ \.php$
      {
          include fastcgi_params;
          #fastcgi_pass unix:/tmp/php-fcgi.sock;
          fastcgi_pass 127.0.0.1:9000;  ## must match php-fpm.conf
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
      }

Before reloading, check the listening ports:

  [root@zyshanlinux-001 ~]# netstat -lntp
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
  tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1228/nginx: master  
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1095/sshd           
  tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1451/master         
  tcp6       0      0 :::22                   :::*                    LISTEN      1095/sshd           
  tcp6       0      0 ::1:25                  :::*                    LISTEN      1451/master         
  tcp6       0      0 :::3306                 :::*                    LISTEN      1411/mysqld

After reloading nginx, php-fpm also has to be reloaded with /etc/init.d/php-fpm reload; the listening IP and port then appears.

  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 ~]# /usr/local/nginx/sbin/nginx -s reload
  [root@zyshanlinux-001 ~]# /etc/init.d/php-fpm reload  ## php-fpm must be reloaded
  Reload service php-fpm  done
  [root@zyshanlinux-001 ~]# netstat -lntp
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
  tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1228/nginx: master  
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1095/sshd           
  tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1451/master         
  tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      2119/php-fpm: maste 
  tcp6       0      0 :::22                   :::*                    LISTEN      1095/sshd           
  tcp6       0      0 ::1:25                  :::*                    LISTEN      1451/master         
  tcp6       0      0 :::3306                 :::*                    LISTEN      1411/mysqld

The test succeeds.

  [root@zyshanlinux-001 ~]# !curl
  curl -x127.0.0.1:80 test.com/3.php
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml"><head>
  <style type="text/css">
  body {background-color: #fff; color: #222; font-family: sans-serif;}
  pre {margin: 0; font-family: monospace;}
  a:link {color: #009; text-decoration: none; background-color: #fff;}
  a:hover {text-decoration: underline;}
  table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
  .center {text-align: center;}
  .center table {margin: 1em auto; text-align: left;}
  .center th {text-align: center !important;}
  td, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}
  h1 {font-size: 150%;}
  h2 {font-size: 125%;}

Summary:

When a 502 appears:

1. Check that listen in php-fpm.conf and fastcgi_pass in test.com.conf point at the same path.

2. The root /data/wwwroot/test.com; path in /usr/local/nginx/conf/vhost/test.com.conf must match the path used in fastcgi_param SCRIPT_FILENAME.

3. The socket file (srw-rw-rw- 1 root root 0 7月 7 21:47 /tmp/php-fcgi.sock) must carry the permissions set by listen.mode = 666.

4. When php-fpm runs out of resources it also returns 502; then tuning is needed.
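
Added example, not from the post: a script that checks points 1 to 3 above directly from the configuration files, so a mismatch is caught before the reload rather than as a 502 afterwards. File paths are parameters, and the sample files written at the end are constructed to mirror the post's IP:port settings.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for the 502
# causes listed above, run against the config files alone (no nginx or
# php-fpm needed). File paths are parameters; the sample files written at
# the bottom are constructed to mirror the post's settings.
set -eu

# First active "listen = ..." value in a php-fpm pool file (comments skipped)
fpm_listen() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | head -n1
}
# First active fastcgi_pass target in a vhost, "unix:" prefix stripped
nginx_fastcgi_pass() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]\{1,\}\([^;[:space:]]*\);.*/\1/p' "$1" | sed 's/^unix://' | head -n1
}
# Document root of the vhost
nginx_root() {
    sed -n 's/^[[:space:]]*root[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$1" | head -n1
}
# Directory prefix given to SCRIPT_FILENAME (the text before $fastcgi_script_name)
nginx_script_prefix() {
    sed -n 's/^[[:space:]]*fastcgi_param[[:space:]]\{1,\}SCRIPT_FILENAME[[:space:]]\{1,\}\(.*\)\$fastcgi_script_name;.*/\1/p' "$1" | head -n1
}

# check_php_backend PHP_FPM_CONF VHOST_CONF
# Prints each problem found; returns 0 when everything lines up, 1 otherwise.
check_php_backend() {
    fpm=$1; vhost=$2; rc=0
    l=$(fpm_listen "$fpm"); p=$(nginx_fastcgi_pass "$vhost")
    if [ "$l" != "$p" ]; then
        echo "MISMATCH: php-fpm listens on '$l' but nginx fastcgi_pass targets '$p' (502)"; rc=1
    fi
    r=$(nginx_root "$vhost"); s=$(nginx_script_prefix "$vhost")
    if [ "$r" != "$s" ]; then
        echo "MISMATCH: root '$r' differs from SCRIPT_FILENAME prefix '$s' (php-fpm cannot find the script)"; rc=1
    fi
    case $l in
        /*) # unix socket: must exist and be accessible to the nginx worker (listen.mode = 666)
            if [ -S "$l" ]; then
                if ! { [ -r "$l" ] && [ -w "$l" ]; }; then echo "socket $l is not rw for $(id -un)"; rc=1; fi
            else
                echo "NOTE: socket $l not present here (php-fpm not running?)"
            fi ;;
    esac
    return $rc
}

# Constructed sample files mirroring the post's IP:port setup
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/php-fpm.conf" <<'EOF'
[www]
#listen = /tmp/php-fcgi.sock
listen = 127.0.0.1:9000
listen.mode = 666
EOF
cat > "$tmp/test.com.conf" <<'EOF'
server
{
    root /data/wwwroot/test.com;
    location ~ \.php$
    {
        include fastcgi_params;
        #fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }
}
EOF

if check_php_backend "$tmp/php-fpm.conf" "$tmp/test.com.conf"; then
    echo "php-fpm and nginx settings agree"
fi
```

On the real host, call check_php_backend /usr/local/php-fpm/etc/php-fpm.conf /usr/local/nginx/conf/vhost/test.com.conf as the user nginx's workers run as, so the socket permission test reflects what nginx will actually see; point 4 (resource exhaustion) is a runtime condition and is not something a static check can detect.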

Nginx proxy

Change to the target directory

  [root@zyshanlinux-001 ~]# cd /usr/local/nginx/conf/vhost

Create the proxy configuration file proxy.conf with the following content.

  server
  {
      listen 80;
      server_name ask.apelearn.com;  ## proxied domain name
  
      location /
      {
          proxy_pass      http://121.201.9.155/;  ## IP of the proxy target
          proxy_set_header Host   $host;
          proxy_set_header X-Real-IP      $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      }
  }

Test

  [root@zyshanlinux-001 vhost]# curl ask.apelearn.com/robots.txt
  #
  # robots.txt for MiWen
  #
  
  User-agent: *
  
  Disallow: /?/admin/
  Disallow: /?/people/
  Disallow: /?/question/
  Disallow: /account/
  Disallow: /app/
  Disallow: /cache/
  Disallow: /install/
  Disallow: /models/
  Disallow: /crond/run/
  Disallow: /search/
  Disallow: /static/
  Disallow: /setting/
  Disallow: /system/
  Disallow: /tmp/
  Disallow: /themes/
  Disallow: /uploads/
  Disallow: /url-*
  Disallow: /views/
  Disallow: /*/ajax/

Accessing the proxy target through the local IP fails

  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80  ask.apelearn.com/robots.txt

Analysis: the IP address of ask.apelearn.com has probably changed. Use dig ask.apelearn.com to look up its current IP and repeat the experiment. Install dig with: yum install -y bind*

  [root@zyshanlinux-001 vhost]# yum install -y bind*
  [root@zyshanlinux-001 vhost]# dig ask.apelearn.com
  
  ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> ask.apelearn.com
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50873
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
  
  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;ask.apelearn.com.      IN  A
  
  ;; ANSWER SECTION:
  ask.apelearn.com.   189 IN  A   223.94.95.10  ## the resolved IP
  
  ;; Query time: 42 msec
  ;; SERVER: 119.29.29.29#53(119.29.29.29)
  ;; WHEN: 六 7月 07 22:06:48 CST 2018
  ;; MSG SIZE  rcvd: 61
  
  [root@zyshanlinux-001 vhost]# vi proxy.conf  ## change the proxied IP
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -t
  nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
  nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
  [root@zyshanlinux-001 vhost]# /usr/local/nginx/sbin/nginx -s reload
  [root@zyshanlinux-001 vhost]# curl -x127.0.0.1:80  ask.apelearn.com/robots.txt  ## the proxy target is now reachable through the local IP
  #
  # robots.txt for MiWen
  #
  
  User-agent: *
  
  Disallow: /?/admin/
  Disallow: /?/people/
  Disallow: /?/question/
  Disallow: /account/
  Disallow: /app/
  Disallow: /cache/
  Disallow: /install/
  Disallow: /models/
  Disallow: /crond/run/
  Disallow: /search/
  Disallow: /static/
  Disallow: /setting/
  Disallow: /system/
  Disallow: /tmp/
  Disallow: /themes/
  Disallow: /uploads/
  Disallow: /url-*
  Disallow: /views/
  Disallow: /*/ajax/

Further reading:

nginx.conf configuration explained: http://www.ha97.com/5194.html

http://my.oschina.net/duxuefeng/blog/34880

The four nginx rewrite flags: http://www.netingcn.com/nginx-rewrite-flag.html http://unixman.blog.51cto.com/10163040/1711943

502 problem roundup: http://ask.apelearn.com/question/9109

location priority: http://blog.lishiming.net/?p=100

Recommended by the live-class instructor:

break and last in rewrite: https://coding.net/u/aminglinux/p/nginx/git/blob/master/rewrite/break.md

nginx location priority: https://coding.net/u/aminglinux/p/nginx/git/blob/master/location/priority.md

Nginx reverse proxy configuration: https://coding.net/u/aminglinux/p/nginx/git/blob/master/proxy/f_proxy.md


Reposted from blog.csdn.net/zhengyshan/article/details/80934411